It's a light round of Microsoft patching this month. Only four advisories, of which only one is critical. The sole critical issue this month is the expected Internet Explorer rollup affecting all supported (and likely some unsupported) versions. This IE rollup addresses 36 privately disclosed Remote Code Execution issues and 1 publicly disclosed Information Disclosure issue that is under limited attack in the wild. This will be the top patching priority for this month.
Of the three non-critical things this month, two are denial of service issues affecting Lync and Windows/.NET. The other is an elevation of privilege issue affecting Windows 8/8.1 and Server 2012 & 2012 R2. The Lync advisory also addresses an XSS which could disclose information of a connecting user. Nothing to ignore, but definitely secondary to the IE issue unless it turns out that some or all of these are under active exploitation.
Adobe and Microsoft have released patches to address issues in Adobe Flash. These issues are grouped by Adobe as APSB14-21, but actually include 12 CVEs, most of which are top-priority patching issues for embedded Flash in the browser. These issues affect Chrome on Mac, Windows and Linux, Internet Explorer 10 and 11, and any browser using the Flash Desktop Runtime. In effect, this is almost everyone with a browser who has Flash support. These are all high-priority issues, though I'm inferring from the disclosure list that they are not active in the wild.
It sure doesn't seem like an end is in sight for IE patches, does it? I think in practical terms, this is not, technically, an infinite supply of remote code execution vulnerabilities. It has to trail off sometime, when most of the codebase has been overhauled, and all the use-after-free type issues have been addressed. However, I don't know when that will be. IE is a hugely complex codebase and is deeply integrated with Windows operating systems. Hopefully Microsoft will keep up the intensity they have shown in hunting down and fixing these issues.